Extended detection and response (XDR) is not a new concept in cybersecurity even if the category name was recently coined. The renewed focus means XDR gets a lot of attention, and that’s a good thing for the industry. Good data and analytics have long been known to be vital to assessing risks, identifying threats, and repelling attacks; but the challenge lies in collecting, analyzing, and using the resulting insights in a timely manner. Things move fast in today’s technology enterprises and so anything less than real-time is obsolete. Fortunately, capability has caught up with need in recent years and further cybersecurity innovation drives continued progress.

Gartner describes XDR as an approach to security that “focuses on detecting and responding to threats through increased visibility on networks, cloud, endpoints and other components.” The key phrase in that definition is “increased visibility,” because to know what’s happening in the network requires seeing every nook and cranny of the network. I’ll add to that and argue that visibility has to be “actionable,” meaning it isn’t just about seeing that something is lurking around, but about gaining a deep understanding of where threat actors can hide, move, and do their dirty work undetected.

Gaining Actionable Asset Visibility

As Gartner’s definition implies, when an organization’s IT infrastructure extends from a physical main campus to include facilities distributed across wide geographies and interconnected via the cloud, things get complicated. Then there are the many systems comprising the IT estate, including a proliferation of connected assets like Internet of Things (IoT) and Operational Technology (OT). Those assets come with increased risk since they may be installed and managed by teams outside of cybersecurity, and may be unknown to the security team or operate undetected.

Our analysis of enterprise IT environments shows that the average attack surface comprises about 40% connected assets, and that as many as 20% of those devices are unmanaged or unknown assets. That creates a challenge for security teams because unknown devices represent a potential attack vector or path. Even devices that can be detected may only show up as a nondescript user device because they run a common operating system and can’t be fully identified using software agents or by a simple scan of the network. But even gaining more visibility isn’t much good if you don’t have a precise understanding of all devices. Without that rich, actionable device intelligence you can’t identify vulnerabilities and adequately protect the enterprise.

Threat actors know this, and they eagerly exploit the gaps in an organization’s asset visibility and intelligence. In fact, Microsoft uncovered “a sophisticated attack campaign” targeting IoT devices that allows “attackers to hijack SSH credentials, move laterally within networks and conceal malicious SSH connections.” This is the type of activity that XDR could potentially detect and prevent, but only when the data used in XDR analysis is gathered from all assets connected to the network, including those operating in the shadows. That data must include things like device location, business purpose, normal operational parameters, industry-specific threat intelligence, known vulnerabilities, and other in-depth information that can’t be gleaned from typical discovery and monitoring methods.

Averting Hidden Threats

Another threat that has been in the headlines recently, and that capabilities consistent with an XDR approach to security could help to avert, is that of assets and systems at risk of exploitation because of vulnerabilities in their software makeup or because of improper installation.

Last year it was revealed that the cl0p ransomware gang began an attack campaign against Progress Software’s popular managed file transfer (MFT) platform MOVEit, exploiting a weakness that made the product vulnerable to attacks and allowing unauthenticated parties to control its installation, potentially leading to data alteration or theft, malicious software installation, and server configuration changes.

The situation was discovered in late May of 2023 when someone noticed anomalous activity involving their organization’s MOVEit instance and alerted Progress. A fix was issued within a few days, but despite the rapid patch release, the attack—two years in the making—was quick to unfold and breach disclosures soon followed. Today independent GRC analyst and research firm KonResearch says the attack breached more than 2,600 organizations affecting nearly 90 million people.

It’s worth pointing out that the attack was revealed because a customer happened to notice operational anomalies and, digging deeper, discovered suspicious activity. This illustrates the importance of maximizing contextual visibility into all enterprise assets. When the MOVEit instance acted in a way that was unexpected, it prompted an investigation and that led to the discovery of an attack. MOVEit’s primary function is to send and receive data, usually large amounts of important, regulated data. If a threat actor manages to gain control of a product like that, it can be devastating, transforming MFT software into an ideal platform for data theft and exfiltration.

Accelerating Detection and Response

The objective of XDR is to enable better detection and response. Integrating asset and context visibility into an XDR tool accelerates the process of identifying anomalies within the network. Most network assets operate within a predictable range, and this baseline “normal activity or communications pattern” can be identified and analyzed by using artificial intelligence. If an organization detects abnormal device activity straying beyond the range of expected behavior, it may be an early indicator of a compromise, so policies and responses can be automated to quickly quarantine the device. This is the value of XDR, but it can only function at a high level when there is complete visibility into assets and their context.

There is a trend toward increasing asset visibility and enabling capabilities consistent with extended detection and response. When the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued Binding Operational Directive 23-01: Improving Asset Visibility and Vulnerability Detection on Federal Networks in October 2022, it stated, “Continuous and comprehensive asset visibility is a basic precondition for any organization to effectively manage cybersecurity risk.” That is a strong endorsement of the value of XDR, and of organizations embracing the means to see across IT infrastructure, take a complete inventory of all network assets, and gain a deep understanding of context and communications flows that can lead to vastly improved security.

Maximizing XDR Efficacy

To maximize the efficacy of your organization’s XDR implementation, you must feed your XDR platform with rich, accurate, and relevant data from trusted sources, including:

  • Rich device data from all connected assets
  • Real-time device communications flows
  • Threat intelligence feeds
  • Security monitoring tools
  • Up-to-date CMDB
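The baselining and automated-quarantine idea from the Accelerating Detection and Response section, fed by the device, flow and CMDB data listed above, can be sketched as follows. This is an added illustration, not code from the original post or from Ordr’s product; the CMDB entries, flow records, MAC addresses, IPs and device names are all constructed.

```python
from collections import defaultdict

# Constructed sample data, not taken from the original post: a small CMDB keyed by MAC
# address, plus flow records shaped as (src_mac, dst_ip, dst_port, proto).
CMDB = {
    "aa:bb:cc:00:00:01": {"name": "infusion-pump-12", "owner": "biomed"},
    "aa:bb:cc:00:00:02": {"name": "badge-reader-3", "owner": "facilities"},
}
BASELINE_FLOWS = [
    ("aa:bb:cc:00:00:01", "10.0.5.20", 443, "tcp"),  # pump -> records server
    ("aa:bb:cc:00:00:01", "10.0.5.21", 123, "udp"),  # pump -> NTP
    ("aa:bb:cc:00:00:02", "10.0.7.5", 8443, "tcp"),  # badge reader -> access controller
] * 3  # repeated to stand in for recurring traffic across the learning window
CURRENT_FLOWS = [
    ("aa:bb:cc:00:00:01", "10.0.5.20", 443, "tcp"),
    ("aa:bb:cc:00:00:01", "10.0.9.44", 22, "tcp"),   # pump opening SSH: never seen before
    ("aa:bb:cc:00:00:02", "10.0.7.5", 8443, "tcp"),
    ("aa:bb:cc:00:00:99", "10.0.5.20", 443, "tcp"),  # source MAC absent from the CMDB
]

def build_baseline(flows):
    """Learn each device's normal pattern: the set of (dst_ip, dst_port, proto) it used."""
    baseline = defaultdict(set)
    for src, dst, port, proto in flows:
        baseline[src].add((dst, port, proto))
    return dict(baseline)

def evaluate(current, baseline, cmdb):
    """Return sorted, de-duplicated (src_mac, finding, flow) tuples for the current window."""
    findings = set()
    for src, dst, port, proto in current:
        flow = (dst, port, proto)
        if src not in cmdb:                              # nobody owns it, no baseline exists
            findings.add((src, "unknown_asset", flow))
        elif flow not in baseline.get(src, set()):       # known device straying from normal
            findings.add((src, "baseline_deviation", flow))
    return sorted(findings)

def respond(findings):
    """Automated policy: quarantine known devices that strayed; queue unknown devices for
    inventory triage, because without a baseline their behaviour cannot be judged."""
    actions = {"quarantine": set(), "inventory_triage": set()}
    for src, finding, _flow in findings:
        actions["quarantine" if finding == "baseline_deviation" else "inventory_triage"].add(src)
    return actions

if __name__ == "__main__":
    found = evaluate(CURRENT_FLOWS, build_baseline(BASELINE_FLOWS), CMDB)
    print(found, respond(found), sep="\n")
```

In a real deployment the learning window would be long enough to capture periodic traffic, and a deviation would be scored against device type and business context rather than quarantined on a single new flow.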

Ordr can discover and identify all connected assets in the enterprise inventory, providing unmatched detail on millions of devices through the Ordr Data Lake, monitoring and analyzing their communications flows in the context of your specific business risk profile. Contact us to learn how the integration across all security and IT operations tools offers an ideal complement to any XDR platform to support the best possible threat detection and response.